Folks, in Bruce Schneier's latest newsletter <https://www.schneier.com/crypto-gram-1403.html> there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing, and a graph shows that they're faster than CPUs ... is that possible?

After this I think the lessons are:

* Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats.
* Use a more recent and computationally intensive hasher.
* Don't let anyone steal your hashes.
* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll <http://dll.paretologic.com/detail.php/msv1_0> only stores half a user's hash in the registry).

*Greg K*
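An added illustration of the second lesson (this is not from Greg's message or the linked articles): the same small wordlist hashed with legacy unsalted MD5 and with a salted, iterated PBKDF2-HMAC-SHA256, so the cost difference a cracker faces per guess can be measured directly. The candidate passwords and salts are constructed here.

```python
"""Contrast a fast unsalted MD5 hash with a salted, iterated PBKDF2 hash."""
import hashlib
import hmac
import os
import time

# Constructed candidate passwords, standing in for a cracker's wordlist.
CANDIDATES = ["password", "letmein", "Summer2013!", "correcthorse"]


def md5_digest(password: str) -> str:
    """Legacy scheme: one MD5 pass, no salt; every user with this password shares the hash."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_digest(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Modern scheme: per-user random salt plus an iteration count that can be raised over time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str, iterations: int = 100_000) -> dict:
    """What the server stores: salt, iteration count and digest, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": pbkdf2_digest(password, salt, iterations)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2_digest(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def guesses_per_second(hash_fn, rounds: int = 200) -> float:
    """Rough single-core throughput of hash_fn over the candidate list."""
    start = time.perf_counter()
    for _ in range(rounds):
        for word in CANDIDATES:
            hash_fn(word)
    return rounds * len(CANDIDATES) / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = new_record("correcthorse")
    print("verify correct:", verify(rec, "correcthorse"))
    print("verify wrong:  ", verify(rec, "password"))
    fast = guesses_per_second(md5_digest)
    slow = guesses_per_second(
        lambda w: pbkdf2_digest(w, rec["salt"], rec["iterations"]), rounds=1)
    print(f"MD5: {fast:,.0f} guesses/s   PBKDF2 (100k iters): {slow:,.0f} guesses/s")
```

On one CPU core the PBKDF2 line comes out tens of thousands of times slower than MD5; the iteration count is the knob that keeps that ratio growing as hardware, GPUs included, gets faster.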
